“IMG_” Malspam Delivers GlobeImposter Ransomware

I received this malspam sample on Saturday from a friend, so it’s already a couple of days old. While this is ancient in malspam years, I felt like writing up something since I haven’t done a malspam post in quite some time.

The subject lines of the malspam samples that I received all started with “IMG_”, and neither sample contained anything in the body. Below are some images of the malspam samples:

Both samples came from Gmail accounts and had attached .zip files. Opening the .zip file shows a .js file, found in %TEMP%:

Both .js files were GlobeImposter downloaders, so executing them generated GET requests for payloads hosted on various domains. I successfully received a payload, even though my samples were days old.

Below is the image of the GET request:

As you can see from the GET request, the user-agent string is “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)”, which corresponds to Internet Explorer 6 on Windows 2000. Looking through the .js file shows the user-agent being set:

.JS file decoded and commented by my friend IRDivision

You can also see how the script fetches the payloads with GET requests:

In my sample, I ended up getting the payload from adelaidemotorshow[.]com[.]au/hg65fyJHG, with the backup location being trombositting[.]org/af/hg65fyJHG.

More locations were posted in a very helpful paste by @Racco42, which can also be seen below:

After infection, an HTML ransom note called RECOVER-FILES-726.html is dropped on the Desktop and in folders containing encrypted files:

Encrypted files are appended with the .726 file extension.

Below is an image of the ransom note, which contains instructions for how to decrypt your files, as well as links to the decryptor sites:

Opening the ransom note also generates GET requests for serv1[.]xyz/counter.php?nu=105&fb=726, which returns your external IP address:
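The two network indicators described above (the downloader’s hard-coded IE6/Windows 2000 user-agent fetching the hg65fyJHG payload path, and the counter.php check-in triggered by opening the ransom note) can be turned into a simple proxy-log check. This is an added example, not code from the post or from IRDivision; the tab-separated log format and the sample records are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Indicators quoted in the post (defanging brackets removed so they match raw log text).
DOWNLOADER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
PAYLOAD_URL_RE = re.compile(r"/hg65fyJHG$")  # same path token on every host in the paste
BEACON_URL_RE = re.compile(r"serv1\.xyz/counter\.php\?nu=\d+&fb=726")

# Constructed proxy log excerpt (tab-separated: time, client, method, url, user-agent).
SAMPLE_LOG = """\
2017-08-01T10:00:01Z\t10.0.0.5\tGET\thttp://adelaidemotorshow.com.au/hg65fyJHG\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
2017-08-01T10:00:02Z\t10.0.0.6\tGET\thttp://example.org/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2017-08-01T10:00:03Z\t10.0.0.5\tGET\thttp://trombositting.org/af/hg65fyJHG\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
2017-08-01T10:02:10Z\t10.0.0.5\tGET\thttp://serv1.xyz/counter.php?nu=105&fb=726\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2017-08-01T10:03:00Z\t10.0.0.7\tGET\thttp://example.org/news\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one tab-separated proxy record; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, client, method, url, ua = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a verdict label for one record, or None if nothing matched."""
    if rec["method"] == "GET" and rec["ua"] == DOWNLOADER_UA and PAYLOAD_URL_RE.search(rec["url"]):
        return "globeimposter-downloader"  # hard-coded IE6/Win2000 UA fetching the payload path
    if BEACON_URL_RE.search(rec["url"]):
        return "ransom-note-beacon"  # ransom note opened: counter.php check-in with fb=726
    if rec["ua"] == DOWNLOADER_UA:
        return "legacy-ua"  # IE6 on Windows 2000 is anomalous on its own; weaker signal
    return None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse every line and keep the records that produced a verdict."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec) if rec else None
        if verdict:
            hits.append({**rec, "verdict": verdict})
    return hits


def infected_hosts(log_text: str) -> List[str]:
    """Clients with a high-confidence hit (payload download or ransom-note beacon), sorted."""
    strong = {"globeimposter-downloader", "ransom-note-beacon"}
    return sorted({h["client"] for h in scan(log_text) if h["verdict"] in strong})
```

The legacy-ua verdict is kept separate so that a host merely sending the old user-agent is triaged rather than declared infected.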

Below are images of the decryptor and “help desk” pages:

They are charging 0.31 bitcoins to decrypt files. I always recommend that people NOT pay ransoms. Instead, look for free decryptors that are released by organizations or by people in the InfoSec community. If there isn’t a free decryptor available, then I suggest keeping your encrypted files until (hopefully) one is released.